News Own Your Online External Link Report it
News Own Your Online External Link
  1. Welcome to the National Cyber Security Centre
  2. Protect your organisation
  3. Response Planning
Minimum Cyber Security Standards

Response Planning

Organisations have in place a process to develop and test cyber-incident management plans to ensure business continuity in the event of system or service failure.

Roles & Audiences

IT Specialist Decision makers Government

PUBLISHED DATE: 30 October 2025

Intent of this Standard

By implementing this Standard, organisations will be better prepared to respond to potential threats and security incidents. In the event of incident realisation, having a response plan will assist in minimising impact and restoring operations.

It is not feasible to have response plans to address all potential incidents. The objective of this standard is for organisations to put in place response plans to address threats that have the greatest combined impact and likelihood. These plans should align to organisations’ risk appetites.

The benefits of having a response plan include:

  • An organised approach, including an agreed understanding across the business of what and how incidents are to be responded to. Security incidents are nearly impossible to predict in advance.
  • Strengthening of overall security through the inclusion of additional resiliency measures.
  • Trust and confidence are increased and/or maintained through knowing an organisation is well-equipped to handle incidents.
  • Compliance requirements are considered and, where appropriate, included within the response plan.

As there are cost and reputational considerations to developing response plans, it is vital that management:

  • understands which financial, time, effort, and resourcing requirements are needed to stand up the plan, and
  • allocates adequate resources to support and maintain the organisation’s environmental posture.

Minimum capability maturity level

We have established criteria within a maturity model to provide clarity, including the expected minimum implementation level, which is CS-CMM 2.

Cyber Security Capability Maturity Model

The requirements are intended to meet and comply with each respective level of maturity. The levels provide a pathway that can be used by agencies to assess themselves against, with a view to improving maturity over time.

Each maturity level builds on the requirement from the preceding level.

Below are the requirements for each capability maturity level for this Standard.

  • CMM 4 Quantitively Controlled
    • Response plans are tested and updated regularly, and they align to business requirements.
    • Adequate oversight and monitoring for response activities is in place and undertaken by third parties/vendors.
    • Response planning aligns to likelihood, impact, and overall risk management, to keep pace with emerging threats.
  • CMM 3 Standardised
    • Response plans are tested enterprise-wide and are updated regularly.
    • Roles and responsibilities for response planning are allocated to job positions and reviewed regularly.
    • Management is supportive of response planning initiatives and allocates investment and resourcing to response activities.
  • CMM 2 Planned and Tracked
    • Response plans are created and updated (including post incident), taking into account likelihood and impact.
    • Roles and responsibilities for response planning are allocated to employees rather than job positions.
    • Management is supportive of response planning initiatives.
  • CMM 1 Informal
    • Minimal response planning procedures are in place.
    • Roles and responsibilities are undefined or poorly defined.
    • No formal testing occurs.

Focus areas

Focus areas are applicable to the Standard and are provided as a guide and not an exhaustive list. Each agency is best placed to identify areas of relevance.

The focus area for this Standard is:

  • Cloud services.

Suggested actions

The following list is not exhaustive. Organisations should identify which actions are appropriate to implement the Standard based on their current maturity level. However, the following actions follow good practice guidelines:

  • Organisations define which events are to be categorised as incidents, factoring in criticality of data, systems under threat, and the level of response for each system tier.
  • Funding and resourcing requirements are identified and allocated.
  • Organisations assign personnel to oversee, create, and implement response plans.
  • Response planning documentation and artefacts are developed.
  • The response plan is communicated to impacted parties.
  • Response plans are tested, lessons learned are incorporated into incident response procedures, and results are communicated to appropriate levels within the organisation.
  • Threat identification and risk likelihood analysis is undertaken regularly and assigned to an organisation’s risk appetite.

Key dependencies

To implement this Standard, there are likely to be requisite measures or technologies in place.

A number of dependencies apply to multiple standards. In general, these dependencies are less technology-specific and relate to business processes.

Key dependencies for this Standard include:

  • There is management support and endorsement. 
  • An organisation has identified and documented what normal business operation looks like. 
  • Roles and responsibilities are defined, including any third parties that will be responsible for carrying out procedures.
  • Defined incident severity thresholds, including levels of response, have been developed and agreed.
  • Relevant documentation (such as mission statements, policies, and procedures).
  • Relevant monitoring metrics (logging, alerting) are in place and reviewed for appropriateness.

Measurable outcomes

To establish whether the Standard is being implemented, the outcomes are a tool an organisation may wish (or already have in place) to measure to help make this determination.

The outcomes have been designed to align with the requirements contained in the maturity level.

Outcomes for this Standard include:

  • Approved budget/investment for response planning activities.
  • Defined system recovery objectives (e.g. Recovery Time Objective/Recovery Point Objective/Acceptable Interruption Window).
  • Incident response plans are updated.
  • Ongoing testing and development of incident response plans and playbooks.
  • Current listing of systems and scenarios that will require response: this could also include evidence of regular review and testing.
  • Clearly defined roles and responsibilities.
  • An organisational threat identification and analysis assessment.
  • Incident communication plan (internally and to stakeholders).
  • Security logging, alerting, and monitoring functionality for incident and threat identifiers.
Applicable NZISM controls

The NZISM controls listed below provide additional detail to assist with the implementation of this Standard and meeting New Zealand Government compliance requirements.

  • Control reference - 5.1.12.C.01.

    Agencies MUST develop an Incident Response Plan and supporting procedures.

    CID: 708

  • Control reference - 5.1.12.C.02.

    Agency personnel MUST be trained in and periodically exercise the Incident Response Plan.

    CID: 709

  • Control reference - 18.3.18.C.01.

    Agencies SHOULD develop a Denial-of-Service response plan including:

    • how to identify the precursors and other signs of DoS,
    • how to diagnose the incident or attack type and attack method,
    • how to diagnose the source of the DoS,
    • what actions can be taken to clear the DoS, 
    • how communications can be maintained during a DoS, and
    • how to report the incident.

    CID: 3782

  • Control reference - 23.5.10.C.01.

    Agencies MUST understand the range of logging capabilities provided by their cloud service providers and determine whether they are sufficient for agency needs.

    CID: 7494

  • Control reference - 23.2.18.C.01.

    Agencies SHOULD obtain regular assurance checks on cloud service providers, ensuring they have been undertaken by a suitably qualified assessor.

    CID: 7397

Topics

Incident management Training Cloud
Top